Security Now 264
Episode 264
Topic: Side Channel Privacy Leaking
Recorded: August 31, 2010
Published: August 31, 2010
Duration: 1:09:56
Security Now 264: Side Channel Privacy Leakage
News & Errata
6:42 - 7:14
- None this week
7:15 - 9:30
- Steve likes the new Kindle
Spinrite Story
9:31 - 10:48 John Payne (Atlanta, Georgia)
Spinrite fixed a broken computer
Side Channel Privacy Leaking
13:36 - 01:08:12
- Cookies have been a long-term problem for many people who object to the idea that in some fashion their actions are being tracked across the Internet.
- Cookies are used by a website to uniquely identify a user over a period of time
- For example if you want to remain logged into a website cookies are used
- What some clever people recognized was that an advertiser who served ads, a so-called "advertising network" who served ads to many thousands of websites across the Internet, also had cookie privileges, so-called third-party cookie privileges.
- When you go to a site, the one whose URL is up in the title bar, a cookie it sets is a first-party cookie because this is the site you're visiting. But third-party content, such as advertisements, can be served onto the same page.
- Well, those ads have cookie privileges, so-called third-party cookie privileges.
- What that means is that the ad itself serves your browser a cookie, one tied to the advertiser's server.
- If you then visit another website that uses the same advertising network, the advertising network knows that you were on the other site earlier.
- Many people object to this
- It's possible to identify individual digital cameras from non-uniformity in their optical sensors.
- There's something called "sensor pattern noise" that individual digital camera elements have, that renders individual ones unique, such that, if you look at a number of pictures from different cameras, it's possible, absent any other information, to determine which cameras took which pictures.
- A web fingerprint, or a browser fingerprint, is information which is escaping from our use of a browser when we search the Internet, which we're not aware of.
- Every query our browser makes to a server contains, by definition, as part of the HTTP protocol specification for communicating with servers, a bunch of headers.
- One of the headers included in every request a browser makes to a server is the User-Agent.
- Another header, also part of every query, is the Accept header, which is a way for my browser to say to the server, "I'm going to accept the following stuff, the following formats."
- There's the accept-language header
How effective is this information at identifying individuals?
- "Arcot" - claims it is able to ascertain PC clock processor speed along with common browser factors to identify a device.
- "41st Parameter" - looks at more than 100 parameters; at the core of its algorithm is a time differential parameter that measures, down to the millisecond, the difference between a user's PC clock and a time reference.
- "ThreatMetrix" - claims that it can detect irregularities in the TCP/IP stack and can pierce through proxy servers.
- "Iovation" - provides device tagging (through LSO - Local Shared Objects) and clientless fingerprinting and operates a "reputation database" which maintains data on millions of PCs.
- The EFF Panopticlick Experiment:
- During the course of the first half year, this Panopticlick.EFF.org website was visited by 470,161 web browsers, so a little over 470,000 web browsers, just shy of half a million.
- The Panopticlick site ran code in people's browsers and also collected data passively from their browsers' requests.
Panopticlick collected:
- User-Agent:
- HTTP Accept:
- Cookies Enabled?
- Screen Resolution (via JavaScript)
- Timezone (via JavaScript)
- Browser Plugins & versions (via JavaScript)
- System font enumeration (Flash or Java applet + JavaScript)
- Browsers without Flash or Java:
- 83.6% of the browsers seen had an instantaneously unique fingerprint.
- Of those that did not, 5.3% were only one of two identical browsers.
- 18.1 bits of entropy - 1 in every 286,777 browsers.
- Browsers with Flash or Java:
- 94.2% of browsers were instantaneously unique
- And among non-unique browsers, 4.8% were only seen twice.
- 18.8 bits of entropy - 1 in 456,419
- Only 1.0% of browsers with Flash or Java had anonymity sets larger than two.
- Browser fingerprints evolve over time, but not by enough to prevent the evolution from being tracked.
- Of the 8,833 browsers that accepted cookies and returned to Panopticlick several times over a period of more than 24 hours, 37.4% exhibited at least one fingerprint change.
- 99.1% of guesses about changing fingerprints were correct.
- Only 0.86% false positive rate.
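As an added worked example (not part of the show notes or of the EFF study), the script below computes the quantities the Panopticlick results are expressed in: the fraction of fingerprints that are unique, the fraction that are one of exactly two identical browsers, Shannon entropy in bits, and the "1 in N" figure that entropy corresponds to. It also breaks entropy down per collected field, which shows why a near-universal value such as "cookies enabled" contributes far less than the font list. The field names, sample fingerprint values and function names are assumptions chosen for illustration; the dataset is constructed, not Panopticlick's.

```python
import math
from collections import Counter

# Field order used by the constructed fingerprint tuples below (assumed;
# it mirrors the categories the show notes say Panopticlick collected).
FIELDS = ("user_agent", "accept", "cookies", "screen", "timezone", "plugins", "fonts")

# Constructed sample fingerprints (illustrative values, not real data).
# A is seen twice, B three times, C, D and E once each: 8 browsers in all.
A = ("Firefox/3.6 (Windows)", "text/html,*/*", "yes", "1280x800x24", "-300",
     "Flash 10.1;Java 6", "Arial,Verdana,Tahoma")
B = ("Firefox/3.6 (Windows)", "text/html,*/*", "yes", "1280x800x24", "-300",
     "Flash 10.1;Java 6", "Arial,Verdana")
C = ("Chrome/5 (Mac)", "text/html,*/*", "yes", "1440x900x24", "-420",
     "Flash 10.1", "Helvetica,Arial")
D = ("Safari/5 (Mac)", "text/html,*/*", "no", "1440x900x24", "-420",
     "", "Helvetica,Arial")
E = ("IE/8 (Windows)", "*/*", "yes", "1024x768x32", "0",
     "Flash 10.0", "Arial,Times")
SAMPLE = [A, A, B, B, B, C, D, E]


def entropy_bits(values):
    """Shannon entropy, in bits, of the empirical distribution of `values`."""
    counts = Counter(values)
    total = len(values)
    return -sum((n / total) * math.log2(n / total) for n in counts.values())


def surprisal_bits(value, values):
    """Self-information of one observed value: the number of bits a site
    learns about the visitor by seeing it. 2**bits is the '1 in N' figure."""
    return -math.log2(values.count(value) / len(values))


def anonymity_set_sizes(fingerprints):
    """Map each distinct fingerprint to the number of browsers that share it."""
    return Counter(fingerprints)


def summarize(fingerprints):
    """The headline Panopticlick-style statistics for a population."""
    sets = anonymity_set_sizes(fingerprints)
    total = len(fingerprints)
    unique = sum(1 for fp in fingerprints if sets[fp] == 1)
    twins = sum(1 for fp in fingerprints if sets[fp] == 2)
    bits = entropy_bits(fingerprints)
    return {
        "unique_fraction": unique / total,   # "instantaneously unique"
        "twin_fraction": twins / total,      # "only one of two identical browsers"
        "entropy_bits": bits,
        "one_in": 2 ** bits,                 # "1 in N browsers"
    }


def per_field_entropy(fingerprints):
    """How many bits each collected field contributes on its own."""
    return {name: entropy_bits([fp[i] for fp in fingerprints])
            for i, name in enumerate(FIELDS)}


if __name__ == "__main__":
    stats = summarize(SAMPLE)
    print(f"unique: {stats['unique_fraction']:.1%}, twins: {stats['twin_fraction']:.1%}, "
          f"{stats['entropy_bits']:.2f} bits (1 in {stats['one_in']:.1f})")
    for name, bits in sorted(per_field_entropy(SAMPLE).items(), key=lambda kv: -kv[1]):
        print(f"  {name:<10} {bits:.2f} bits")
    print(f"seeing fingerprint E reveals {surprisal_bits(E, SAMPLE):.1f} bits")
```

The per-field figures are not additive when fields are correlated (a Mac user agent predicts Helvetica in the font list), which is why the joint entropy of the whole fingerprint is the number that matters, and why the real study's 18.1 and 18.8 bits are well below the sum of the individual fields.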
Explicit Channels:
- HTTP Browser Cookies
- Adobe Flash "Super Cookies"
- LSO - Local Shared Objects
Side Channels:
- Browser Query Leakage:
- HTTP Accept: Header
- Micro Version information
- Cookies enabled (or not)
- Scripts enabled (or not)
- Images enabled (or not)
- HTTP User-Agent:
- Fake HTTP User-Agent:
- CSS visited links
- Screen resolution & color depth
- Browser plug-in enumeration
- Timezone
- System Font Enumeration & Enumeration order
- Windows network MAC interface
- ShieldsUP! could often see it - something local *definitely* can
- Browser cache content
- ASN Number - Autonomous System Number (network owner)
- IP Most Significant Bytes
- System Clock Skew
- TCP/IP Stack Fingerprinting
- Note that MOST of the more powerful side-channel attacks require more than a purely passive client... they need scripting, Flash or Java.
Countermeasures:
- Paradoxically, countermeasures can make a browser more "identifying", not less. :)
- Since "incremental" changes are trackable, change as much as possible ALL AT ONCE.
Cookie Regeneration:
- Fingerprint + IP, etc. to reform or merge old and new cookies
- IP, subnet, ASN, etc.
- Sequence:
- You're cruising around and DoubleClick.net is tracking by third-party cookie *and* simultaneously fingerprinting. You wash your system clean of cookies.
- But you step back out onto the Net with the same FINGERPRINT, touch a site with Doubleclick... and cookies are instantly regenerated and re-linked.
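The countermeasure advice above (change as much as possible all at once) and the cookie-regeneration sequence rest on the same observation: a fingerprint that differs from its predecessor in one field is still recognisably the same browser, while one that differs in every field is not. As an added illustration, not code from the show or from any tracking product, the snippet below compares a constructed "before" fingerprint against an incremental change (one plug-in updated) and against a wholesale change, reporting which fields moved and the fraction that stayed the same. Field names and sample values are assumptions.

```python
# Field order used by the constructed fingerprint tuples (assumed).
FIELDS = ("user_agent", "accept", "cookies", "screen", "timezone", "plugins", "fonts")

# Constructed fingerprint of a browser before any change (illustrative values).
BEFORE = ("Firefox/3.6 (Windows)", "text/html,*/*", "yes", "1280x800x24", "-300",
          "Flash 10.1;Java 6", "Arial,Verdana,Tahoma")

# Incremental change: only the Flash plug-in version moved.
AFTER_INCREMENTAL = BEFORE[:5] + ("Flash 10.2;Java 6",) + BEFORE[6:]

# Wholesale change: different browser, screen, timezone, plug-ins and fonts.
AFTER_ALL_AT_ONCE = ("Chrome/6 (Linux)", "*/*", "no", "1366x768x24", "0",
                     "", "DejaVu Sans,Liberation Serif")


def changed_fields(old, new):
    """Names of the fingerprint fields whose values differ between old and new."""
    return [name for name, o, n in zip(FIELDS, old, new) if o != n]


def similarity(old, new):
    """Fraction of fields that are unchanged: 1.0 means identical, 0.0 means
    nothing survived. A high value is what lets a fresh cookie be re-linked
    to the old one even after the cookie jar has been emptied."""
    return 1 - len(changed_fields(old, new)) / len(FIELDS)


def change_report(old, new):
    """Summary of how much of the old fingerprint a site can still recognise."""
    changed = changed_fields(old, new)
    return {"changed": changed, "unchanged": len(FIELDS) - len(changed),
            "similarity": similarity(old, new)}


if __name__ == "__main__":
    for label, after in (("incremental", AFTER_INCREMENTAL), ("all at once", AFTER_ALL_AT_ONCE)):
        rep = change_report(BEFORE, after)
        print(f"{label:<12} changed={rep['changed']} similarity={rep['similarity']:.2f}")
```

Run it and the incremental change keeps six of seven fields identical, so the updated browser is trivially the same one; the wholesale change shares nothing with its predecessor. The same arithmetic applies to side channels outside the browser (IP prefix, ASN, clock skew), which is why the notes list them alongside the fingerprint as inputs to cookie regeneration.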
The conclusion?
- For now, don't worry about it.
- Instead, understand what's being done and BEHAVE accordingly.
- But... Resistance is NOT futile. Doing what you can is still worthwhile.
Sponsors
Astaro
- Astaro.com/securitynow
- Ad Times: 0:58-1:15 and 11:00-13:35
Production Information
- Edited by: Tony
- Notes: